Rules of Cyberwar: Tallin Manual codifies how international law applies to state-sponsored online attacks

– see below to download –

State-sponsored cyber-attacks must avoid sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations, according to the first advisory manual on cyber-warfare produced for Nato, which predicts that online attacks could in future trigger full-blown military conflicts.

The attempt to codify how international law applies to online attacks includes a provision for states to respond with conventional force if aggression through hacking into computer networks by another state results in death or significant damage to property.

The Tallin Manual project brought together an independent group of over 20 most distinguished international legal practitioners and scholars in the world in order to assess how the jus ad bellum (the international law governing the use of force) and the jus in bello (law of armed conflict or international humanitarian law) should be interpreted in the cyber context. Highly qualified technical experts assisted this “International Group of Experts” in the drafting of the Manual. Furthermore, the International Committee of the Red Cross, United States Cyber Command and NATO’s Allied Command Transformation provided observers to this process.

The project took three years and started in 2008 following a wave of cyber-attacks on the Baltic state from inside Russia. The denial-of-service attacks crashed websites and damaged Estonia’s infrastructure, raising awareness about the damage that online operations can inflict in an increasingly computer-dependent era.

The Tallinn manual, described as “the most important document in the law of cyber-warfare. It will be highly useful.” contains 95 “black letter rules”.

The manual suggests “proportionate counter-measures” against online attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property.

Rule 80 says that, in accordance with Geneva conventions, attacks on certain key civilian sites are outlawed: “In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber-attacks against works an installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity.” Hospitals and medical units are also protected as they would be under rules governing traditional warfare.

The handbook is not official Nato document or policy but an advisory manual. It is published by Cambridge University Press.